
Tuesday, September 30, 2014

Dyman Associates Risk Management: 10 lessons learned from major retailers' cyber breaches

There has been extensive adverse publicity surrounding what has become the largest data breach in the retail industry, affecting Target and two other U.S. retailers. In November-December 2013, cyber thieves executed a well-planned intrusion into Target’s computer network and the point-of-sale terminals at its 1,800 stores around the holiday season and successfully obtained not only 40 million customers’ credit and debit card information, but also non-card customer personal data for as many as 70 million customers. In addition, 1.1 million payment cards from Neiman Marcus and 3 million cards used at Michaels were reportedly exposed.

The respected Ponemon Institute announced this June that it believes hackers have exposed the personal information of 110 million Americans—roughly half of the nation’s adults—in the last 12 months alone. That figure reflects the major retailer breaches as well as incidents in other government and business sectors, but it does not include hacks revealed in July-August 2014.

As we speak, there are news reports about the discovery of large quantities of personal information (including user names and passwords) mined from many websites by a Russia-based hacker group, and about new malware threats aimed at retailers. According to a report released by the U.S. Department of Homeland Security, the remote-access technology widely used to let employees work from home, or to let IT and administrative personnel maintain systems remotely, is being exploited by hackers to deploy point-of-sale (PoS) malware designed to steal credit card data. This threat is being called “Backoff Malware”.

Homeland Security estimates it has been around since October 2013 with a very low antivirus detection rate at the time it was discovered, meaning that even systems with fully updated and patched antivirus software would not have been able to identify Backoff as malicious.

Snapshot of Target

Target announced at the end of February 2014 that the company’s profit fell by 40% in the fourth quarter of 2013. The company reported $61 million pretax expenses related to the breach, but expected $44 million in cyber insurance payments against this figure. These expenses were incurred for legal costs, breach notification, forensics, and PR/crisis management to date. However, the worst financial costs are yet to come. A senior Gartner analyst estimated that the total exposure to Target could be $450–$500M, which considers lawsuits, regulatory investigations, breach response, fines and assessments, loss of revenue and security upgrades.

Both the cyber insurance and directors & officers insurance programs at Target are involved, since Target announced significant revenue/profit shortfalls caused by brand damage/customer fallout and costs to improve IT security. At least two derivative shareholder actions have been filed, which have triggered Target’s D&O insurance.

More than 100 lawsuits are pending against Target at this time, with many consumer class actions and some actions filed by individual financial institutions, claiming for costs of cancelling and reissuing compromised cards, absorbing fraudulent charges made on the cards, and the loss of anticipated fee income from the holiday season. There has been activity to consolidate these lawsuits into three groups of plaintiffs to facilitate the legal process.

Allegations surround Target’s decision to give network access to a third-party vendor, a small HVAC company with weak security, which allowed the attackers to gain a foothold on Target’s network. From that point of entry, the attackers allegedly moved to the most sensitive areas of Target’s network, where customer information was stored. Malware installed at POS terminals used so-called “RAM scraping,” and the attack apparently proceeded despite warning signals.

Target staff had urged the company to review the security of its payment system months prior to the breach, according to American Banker and Wall Street Journal reports. Some financial institution plaintiffs are alleging that as early as 2007, Target was warned by a data security expert about the possibility of a data breach in its point-of-sale system. Banks claim that a layered security system would have made the hackers’ task more challenging—Brian Krebs, a noted security analyst, describes a “POS kill chain” for a more effective layered security posture.

Monday, September 29, 2014

Dyman Associates Risk Management: So You Think You Have a Point of Sale Terminal Problem?

If your company has a Point of Sale (POS) terminal anywhere in its infrastructure, you are no doubt aware from the active media coverage that malware attacks have been plaguing POS systems across the country.

Just within the past week, the New York Times has reported that:

§  Companies are often slow to disclose breaches, frequently because of the time consumed by the investigations that must begin immediately;
§  Congress is beginning to make inquiries of data breach victim companies;
§  Even companies that have conducted cybersecurity risk assessments still get attacked, often while implementing new solutions to mitigate potential problems and protect their customers’ payment cards or other personal information; and
§  Former employees can be a source of information to the media about your efforts to investigate and secure your POS systems.

No Quick Fix

Even the best intentions, most competent efforts and unlimited budgets cannot fix a problem such as this overnight. These fixes take time, and they have become an unavoidable consequence of operating POS terminals.

What should your company do?

(1) Launch a cybersecurity risk assessment, if you have not yet done so.

(2) Protect your risk calculations by engaging outside counsel and qualified cybersecurity experts to provide legal risk advice protected by the attorney-client privilege. Keep C-suite executives and Boards of Directors informed. The outside counsel, together with experts, should:

§  educate and advise directors and executives on the legal and business risks associated with your company’s particular threats and vulnerabilities;
§  engage a qualified, experienced external cybersecurity team to review the technical infrastructure and identify vulnerabilities, stratified and prioritized by risk, likelihood of exploitation, and the cost and time involved in remedying each one;
§  review operational procedures across a multi-disciplinary team in your company; these are often overlooked and can have the greatest impact on the overall health of your risk profile;
§  help identify the most sensitive categories of information in your organization and develop data governance procedures tailored to your organization, adding yet another layer of protection for your most sensitive assets;
§  regularly remind your team members, including those from third-party vendors engaged by counsel, of their privilege and confidentiality obligations.

(3) Treat cybersecurity risk assessments and remediation efforts as an iterative process. Constantly review your multi-disciplinary team’s recommendations as they change week by week or day by day. Re-evaluate the spend allocated based on updated information about your risk landscape as the investigation and assessment progresses.

(4) Stay informed about updated regulatory requirements and case law on cybersecurity and privacy. Ensure stakeholders understand these updates and charge them with implementing appropriate changes in their domains.

(5) Recognize that there is no such thing as perfect security, but that there is a tipping point beyond which your company will move out of the category of high-risk operations and into a safe zone.

(6) Allocate the necessary resources to get the job done – and done well. If your company goes an extra mile in building security policies, procedures and technology that are better than industry standard, you can use your low risk profile as a market differentiator. In addition to reducing litigation and reputational risks, validated strong security will increase customer confidence and loyalty.

(7) Review your insurance policies for adequate coverage to address interim risks. While reputational risk cannot be insured against, insurance can be very valuable in the event of a breach.

In the retail industry in particular, the widespread compromises of Point of Sale Terminals resulting in staggering amounts of payment card theft are a hallmark of 2014. A decrease in brand reputation alone is too high a cost to ignore. If your company is – very understandably – not equipped to tackle the daunting task of finding and prioritizing vulnerabilities and choosing the best cybersecurity governance and technical plans, find someone who is.

Sunday, September 28, 2014

Dyman Associates Risk Management: eBay In Security Storm With Dangerous Flaw Wide Open

Auction site eBay has found itself in the midst of another security storm after apparently choosing to leave a security hole wide open – in the interests of user functionality – as customer details were being stolen.

It is the latest in a trio of serious cybersecurity problems at the company this year, following a database breach in May, and the theft of details from its StubHub ticket site customers two months later.

eBay allows highly visual JavaScript and Flash content to be included in its listings, which is a somewhat unsurprising step – however, the company reportedly knew for months that a number of hackers were manipulating this code for malicious content, and left the ability to add the code largely as it is, in the interests of offering sellers attractive auction listings.

Cyber criminals have been using the technology to introduce cross-site scripting (XSS) – in which customers are led to a fake, eBay-mimicking site to enter their payment details. At least 100 exploited listings have been identified by the BBC, which reports that the problems continue even though eBay may have been aware of them since February.

‘Not An Okay Situation’

Security experts have lambasted eBay’s handling of the problems. Chris Oakley, principal security consultant at testing firm Nettitude, says he would expect “all organizations, particularly those with vast quantities of customer data to protect” to have the required, standard cross site scripting defenses in place.

“This hat-trick of security incidents will surely do the company no favors in terms of restoring and maintaining consumer confidence,” adds Paul Ayers, European VP at data security vendor Vormetric, and Mikko Hypponen, chief research officer at security firm F-Secure, describes the situation as “not okay”. Independent expert Graham Cluley told The Drum website that eBay was not in “proper control” of the situation, which he described as “embarrassing”.

Solving The XSS Problem

Experts have proposed a number of solutions for eBay, including simply removing the harmful code or listings, or providing its own JavaScript editor in which sellers’ code can be more easily managed and controlled.

Dr Adrian Davis, EMEA managing director at security organization (ISC)2, tells Forbes that XSS is a well known threat, adding that “we can’t afford to tolerate relatively simple security issues like this, especially for a company as massive as eBay”.

Sites with the issue “need to update their current code to remove the vulnerability”, he says. “Functionality for the user would not be impaired, providing the code running in the browser and application is written properly.”

He warns that developers need to be much better trained to write secure code and not focus solely on usability, with “fully qualified and certified individuals, such as those holding (ISC)2’s CISSP or CSSLP” qualifications being involved “throughout the entire process”.

“This is an issue that must rise above the purely technical considerations and go onto the agendas of management and business leaders that are driving the development projects. Only then would we see investment in curbing incidents like these.”
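The defence the experts above describe, listing markup that keeps its presentation but cannot carry script, is usually implemented as an allowlist sanitizer on the server before seller content reaches buyers’ browsers. The block below is an added example written for this page; it is not eBay’s code and does not come from the article. The set of permitted tags and attributes is an illustrative assumption, and the code assumes a Node.js environment with no DOM. The unsafe renderer is shown beside the hardened one so the difference is concrete.

```javascript
// Added example (not eBay's code and not from the article): an allowlist
// sanitizer for seller-supplied listing HTML, shown beside the unsafe pattern
// of echoing the markup unchanged. Runs under Node.js with no DOM.
// The allowed tag and attribute names are assumptions for illustration.

const ALLOWED_TAGS = new Set([
  'b', 'i', 'u', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'h1', 'h2', 'h3',
  'table', 'tr', 'td', 'th', 'div', 'span', 'a', 'img',
]);
// Per-tag attribute allowlist: no on* handlers and no style= on any tag.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'width', 'height']),
};
const URL_ATTRS = new Set(['href', 'src']);
const VOID_TAGS = new Set(['br', 'img']);
// Raw-text elements whose body is discarded together with the tag.
const DROP_BODY = new Set(['script', 'style']);

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Accept only http(s) and scheme-less (relative) URLs. Control characters and
// whitespace are stripped before the scheme check because browsers ignore
// them inside a scheme name.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m === null) return true;
  const scheme = m[1].toLowerCase();
  return scheme === 'http' || scheme === 'https';
}

// Rebuild an opening tag from scratch, keeping only allowlisted attributes.
function buildTag(name, rawAttrs) {
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const attrRe = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '<' + name;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    if (!allowed.has(attr)) continue;                       // drops onerror=, style=, ...
    if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue; // drops javascript:/data: URLs
    out += ' ' + attr + '="' + escapeHtml(value) + '"';
  }
  return out + '>';
}

// Tokenize into comments, tags, text and stray '<'. A '>' inside a quoted
// attribute value cuts the tag short; the remainder is then escaped as text,
// which looks ugly but fails closed.
function sanitizeListingHtml(html) {
  const tokenRe = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let out = '';
  let dropUntil = null; // name of the raw-text element currently being skipped
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [token, slash, rawName, rawAttrs] = m;
    if (rawName === undefined) {                  // comment, text or lone '<'
      if (dropUntil === null && !token.startsWith('<!--')) out += escapeHtml(token);
      continue;
    }
    const name = rawName.toLowerCase();
    if (dropUntil !== null) {                     // inside <script>/<style>
      if (slash === '/' && name === dropUntil) dropUntil = null;
      continue;
    }
    if (slash !== '/' && DROP_BODY.has(name)) { dropUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;        // iframe, object, svg, form, ...
    if (slash === '/') {
      if (!VOID_TAGS.has(name)) out += '</' + name + '>';
    } else {
      out += buildTag(name, rawAttrs);
    }
  }
  return out;
}

// Unsafe: seller markup goes to buyers' browsers unchanged, scripts included.
function renderListingUnsafe(sellerHtml) {
  return '<div class="listing">' + sellerHtml + '</div>';
}

// Hardened: same visual markup, active content removed.
function renderListingSafe(sellerHtml) {
  return '<div class="listing">' + sanitizeListingHtml(sellerHtml) + '</div>';
}

// Constructed sample listing mixing legitimate markup with injection attempts.
const SAMPLE_LISTING =
  '<b>Vintage camera</b> <img src="https://example.test/cam.jpg" onerror="alert(1)">' +
  '<script>alert(1)</script><a href="java\tscript:alert(1)">details</a>' +
  '<!-- note --> 5 < 6';

console.log(renderListingSafe(SAMPLE_LISTING));
```

Three choices do the work here: tags are rebuilt from an allowlist rather than patched out of the seller’s string, every `on*` and `style` attribute is dropped because none is allowlisted, and the bodies of `<script>` and `<style>` are discarded instead of being rendered as text. A production deployment would pair this with a Content Security Policy and a maintained sanitizer library rather than a hand-rolled tokenizer, but the shape of the check is the same.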

Act Much More Quickly

Randy Gross, chief information officer at industry association CompTIA, says that it is “always difficult” for organizations to strike the right balance between security and convenience. But he adds: “With financial transactions, especially given recent high profile attacks, the pendulum needs to swing hard back toward security and give consumers the confidence their information is secure.”

Fayaz Khaki, an associate director of information security at IDC, adds in a Forbes email interview that it is always difficult for large and complex sites, such as eBay, to be completely XSS free. “However, once an XSS vulnerability has been identified the organization must act quickly to remove the vulnerability”, even if it means removing a listing.

Active content such as JavaScript, he says, should only be used where completely necessary, and regular monitoring and vulnerability assessments ought to be carried out to minimize risk.

“XSS vulnerabilities have existed for a number of years and really companies such as eBay, that came into existence solely as an internet organization, should be on top of these types of vulnerabilities and should have the capability to identify and mitigate these vulnerabilities very quickly.”

eBay said in a statement that cross site scripting risks exist across the internet, and that it has “hundreds” of engineers and security experts who collaborate with researchers to make its own site both usable and safe.

It added: “We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers, as well as overall site security.”

Criminals behind cross site scripting and phishing activity adapt their code and tactics “to try to stay ahead of the most sophisticated security systems”, it said. “Cross site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code.”

Friday, September 26, 2014

Dyman Associates Risk Management Study: Mobile Health Apps Need Risk Assessment, Framework

Mobile health applications need a risk assessment model and a framework for supporting clinical use to ensure patient safety and professional reputation, according to a study published in the Journal of Medical Internet Research, FierceHealthIT reports.

Study Details

For the study, researchers at Warwick Medical School in the United Kingdom analyzed the current regulatory oversight of mobile apps and identified several different kinds of risks associated with medical apps and ways to address those risks (Mottl, FierceHealthIT, 9/20).

The researchers defined a mobile medical app as "any software application created for or used on a mobile device for medical or other health-related purposes."

Study Findings

The researchers noted that there is not currently a clinically relevant risk assessment framework for mobile health apps, meaning health care professionals, patients and mobile app developers face difficulty in assessing the risks posed by specific apps.

They identified several risks associated with using mobile health apps, including:

  • Hindering professional reputation;
  • Causing possible patient privacy breaches;
  • Resulting in low quality; and
  • Providing poor medical advice.

The authors also outlined some of the most common variables that can affect those risk factors, including:

  • Apps that contain inaccurate or out-of-date information;
  • Inappropriate use by patients; and
  • Inadequate user education (Lewis et al., Journal of Medical Internet Research, 9/15/14).

Of those, the researchers warned that a lack of education poses the biggest threat to patient safety and recommended that health care professionals begin learning about the apps' risks before prescribing their use to patients.

Overall, the study's authors called for a formal risk assessment framework for mobile health apps to help reduce the "residual risk" by identifying and implementing various safety measures in the future development, procurement and regulation of mobile apps. They argued that medical apps will flourish in the health care industry after a process has been created to ensure their quality and safety can be "reliably assessed and managed" (FierceHealthIT, 9/20).

Thursday, September 25, 2014

Dyman Associates Risk Management: A Mobility Checkup

I recently attended the Healthcare Innovation Challenge where I met some customers and took a look at various healthcare IT challenges and innovations. I came away with a couple of strong impressions about the role of mobility in healthcare, in addition to some best practices for healthcare companies to follow.

First, it was exciting to see how integrated mobility is with the core mission of many of the companies, and how important it has become for healthcare workers to be untethered from a PC or workstation. For example, a medical scanning and data collection company can now run its scanners from a remote location using tablets, which has increased safety by enabling technicians to review data in real time without being in the same room as the diagnostic equipment. Tablets have also increased efficiency and productivity by enabling fewer technicians to monitor multiple scanners, and the touch user interface—swiping and pinching to analyze the scans, for example—is far preferable to traditional mouse clicks.

Another company provides brain exercises—in the form of role-playing games—for patients who have experienced brain trauma. The games are played exclusively on tablets, offering more flexibility for patients and providing a familiar, effective and fun user interface that encourages usage.

Many companies at the event made it clear that they still face major challenges to mobility. HIPAA and other privacy regulations require every mobile strategy involving patient data to meet stringent requirements. Is patient data stored on a device? How is it secured? Can non-authorized users access private information? Can the compliance of the device be validated?

In developing a security strategy for their mobile devices, healthcare companies struggle with choosing among various options, including a secure workspace and virtualization. Virtualization stores no information on the device, while a secure workspace stores data on the device in a protected container, which IT can wipe (though not a user’s personal information) if necessary. Fortunately, organizations aren’t limited to one path—many use both solutions for users with different risk profiles.

Another difficulty for many healthcare providers is that tech-savvy workers, especially doctors and nurses, are driving the demand for mobility, putting significant pressure on IT to move more rapidly than it otherwise would.

So how can healthcare companies overcome these challenges? Consider these simple best practices:

·  Map out all your different use cases—including what users want—and study the available technologies. Then choose the mix of solutions that satisfies your needs.
·  Don’t consider just today’s use cases. Anticipate future innovations. For example, some devices already have built-in heart-rate monitors. Other biometric capabilities coming to devices include identifying fingerprints, faces, voices and irises. To keep progressing on your mobility journey, track the technologies in development and plan for how to integrate them into your workflows.
·  Don’t fall into the trap of feeling that you can’t deal with the explosion of new capabilities. By focusing on users and workflows, you can look at every new capability as an opportunity to improve productivity, drive down costs and improve the ways healthcare is delivered.